-
-
Notifications
You must be signed in to change notification settings - Fork 24
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document how to get started #108
Conversation
Helm is central to how we deploy all services on kubernetes. | ||
|
||
* [helm]({{< relref "tools/helm.md" >}}) is essentially the package manager for Kubernetes (like `npm` for Node, `gem` for Ruby, and `rpm` for RHEL) | ||
* [helm charts](/helm-charts/) are how kubernetes resources are templatized using go templates |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Go
(capitalize language names)?
content/geodesic/module/_index.md
Outdated
@@ -5,3 +5,49 @@ description: "Geodesic modules are Git repositories that extend the Geodesic bas | |||
{{% dialog type="info" icon="fa fa-book" title="Read More" %}} | |||
⇠ Select one of these pages to learn more about the topic. | |||
{{% /dialog %}} | |||
|
|||
We believe that infrastructure as code should be treated just like all other code: tested, bundled into artifacts and automatically deployed. This is what `geodesic` solves. A geodesic module is a docker container/image contains all the code necessary deploy infrastructure. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A geodesic module is a docker container/image containing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Grammatically, I think the sentence should be "A geodesic module is a docker container/image which contains all the code necessary to deploy infrastructure" except I still don't know what that means. Maybe it's supposed to be "...all the code necessary to deploy itself"?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Nuru thanks for checking this out.
How is this? I really want to make sure this is clear. If you don't understand it, others won't either.
A geodesic module is a docker container/image which contains all the Infrastructure as Code necessary to provsion logically related IaaS resources (e.g. AWS Organizations, IAM Roles/Permissions, CDNs, S3 Buckets, Kubernetes Clusters, etc).
content/geodesic/module/_index.md
Outdated
- [Multi-stage Docker Builds]({{< relref "tools/docker/best-practices.md#multi-stage-builds" >}}) | ||
- [Terraform Root modules]({{< relref "terraform-modules/root/_index.md" >}}) | ||
- [Terraform Modules](/terraform-modules/) | ||
- [Polyrepos]({{< relref "glossary/polyrepo.md" >}}) to logically organize infrastructure. Use modules to import logic. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to logically organize infrastructure and use modules to import logic
content/geodesic/module/_index.md
Outdated
- [Terraform Modules](/terraform-modules/) | ||
- [Polyrepos]({{< relref "glossary/polyrepo.md" >}}) to logically organize infrastructure. Use modules to import logic. | ||
|
||
We prefer the polyrepo approach to the monorepo approach when it comes in infrastructure. Git repositories allow us to surgically tag/version parts of infrastructure. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to infrastructure
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reworded.
Git repositories allow us to surgically tag/version infrastructure code that represents some kind of business logic.
content/geodesic/module/_index.md
Outdated
|
||
The [`root.cloudposse.co`](https://github.com/cloudposse/root.cloudposse.co) module represents an organization's "root" or "top level" AWS account. This is typically your billing organization and handles IAM user account provisioning. | ||
|
||
It should also use the `terraform` resource [`aws_organizations_organization`](https://www.terraform.io/docs/providers/aws/r/organizations_organization.html) to provision all the subaccounts below. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
content/geodesic/module/_index.md
Outdated
|
||
## prod.cloudposse.co | ||
|
||
The [`prod.cloudposse.co`](https://github.com/cloudposse/prod.cloudposse.co) module represents an organization's "production infrastructure". It's a subaccount (organization) of the [`root.cloudposse.co`](https://github.com/cloudposse/root.cloudposse.co). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's a subaccount (organization)
Organization here sounds overloaded.
Maybe just subaccount or member account?
content/geodesic/module/_index.md
Outdated
|
||
## dev.cloudposse.co | ||
|
||
The [`dev.cloudposse.co`](https://github.com/cloudposse/dev.cloudposse.co) module represents an organization's "development infrastructure". This module is used as a sandbox environment where developers and test the waters and get familiar with AWS. We prescribe that organizations give all developers "Administrator" level privileges to this account in order to give them an unfettered opporutnity at developing infrastructure. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
where developers test the waters
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice simplification. Always point these out to me.
content/geodesic/module/_index.md
Outdated
|
||
## audit.cloudposse.co | ||
|
||
The [`audit.cloudposse.co`](https://github.com/cloudposse/audit.cloudposse.co) module represents an organization's "audit logs infrastructure". By leveraging our [`terraform-aws-cloudtrail`](https://github.com/cloudposse/terraform-aws-cloudtrail) and [`terraform-aws-cloudtrail-s3-bucket`](https://github.com/cloudposse/terraform-aws-cloudtrail-s3-bucket) modules, we make it exceptionally easy to ship CloudTrail logs from all your organizations to one central, highly restrictive organization whose sole purpose is to provide a tamper-proof, encrypted, system of record for infrastructure logs with [lifecycle rules]({{< relref "terraform/tips-tricks.md#s3-bucket-lifecycle-rules" >}}). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
from all your organizations
From all your accounts in the organization?
Or from Organizational Units (OUs)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
highly restrictive organization
highly restrictive account?
content/geodesic/module/_index.md
Outdated
|
||
## testing.cloudposse.co | ||
|
||
The [`testing.cloudposse.co`](https://github.com/cloudposse/testing.cloudposse.co) module represents an organization used for continuous integration testing of infrastructure code. By provisioning a separate, dedicated organization for this we are able to silo testing infrastructure so it doesn't pollute or in any way impact other environments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
represents an organizational unit used for continuous integration?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
for continuous integration and testing of infrastructure code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By provisioning a separate, dedicated organizational unit (or just account) for this
content/glossary/monorepo.md
Outdated
tags: | ||
- polyrepo | ||
- monorepo | ||
description: "Monorepo refers to a strategy of storing all code for possibly unrelated applications with in the same source code repository." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
within
content/glossary/stage.md
Outdated
@@ -3,10 +3,18 @@ title: "Stage" | |||
description: 'One of the phases in the SDLC where by software is deployed to an environment. Common stages are “Production”, “Staging”, “QA” or “Development”' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
whereby
content/glossary/stage.md
Outdated
tags: | ||
- environment | ||
- sdlc | ||
- prod | ||
- staging | ||
- dev | ||
--- | ||
|
||
It's important to note that within a given stage, there might be multiple environments. We always prescribe separating multiple stages by using multiple AWS organizations. Then provisioning multiple environments within that stage as necessary. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by using multiple AWS accounts or organizational units
content/glossary/stage.md
Outdated
|
||
It's important to note that within a given stage, there might be multiple environments. We always prescribe separating multiple stages by using multiple AWS organizations. Then provisioning multiple environments within that stage as necessary. | ||
|
||
For example, the "staging" organization might run "pre-production" and "QA" environments. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the "staging" account?
@@ -0,0 +1,10 @@ | |||
FROM r.cfcr.io/cloudposse/terraform-root-modules:0.1.0 as terraform-root-modules |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we get it from Docker Hub instead of CodeFresh for the example?
|
||
Here's what it looks like in practice: (only relevant portions) | ||
|
||
{{% include-code-block title="" file="terraform-modules/root/examples/Dockerfile" language="Dockerfile Snippet" %}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it correct language="Dockerfile Snippet"
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks
content/terraform/tips-tricks.md
Outdated
{{% include-code-block title="Example: Encrypted S3 Bucket" file="terraform/examples/encrypted-s3-bucket.tf" language="hcl" %}} | ||
|
||
For an example of how we use it, check out our [`terraform-aws-s3-log-storage`](https://github.com/cloudposse/terraform-aws-s3-log-storage) module. | ||
|
||
# Use Pre Commit Hooks for Linting | ||
|
||
We strongly urge that all code be linted prior to checking into to git. Running `terraform fmt` on the codebase before committing will accomplish this. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
into Git
|
||
Inheritance is when you use `FROM some-image:1.2.3` (vs `FROM scratch`) in a `Dockerfile`. We recommend to leverage lean base images (E.g. `alpine` or `busybox`). | ||
|
||
Try to leverage the same base image as many of your images as possible for faster `docker pulls`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in as many of your images
|
||
# Use Scratch Base Image | ||
|
||
One often overlooked, ultimately lean base-image is the `scratch` image. This is an empty filesystem which allows one to copy/distribute the minimal set of artifacts. For languages that can compile statically linked binaries, using the `scratch` base image is the most secure docker image as there will be no other exploitable packages in the image. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
using the scratch
base image is the most secure way
content/tools/helm.md
Outdated
--- | ||
|
||
{{< img src="/assets/helm-d7685fec.png" title="Helm Logo" class="logo" >}} | ||
|
||
Helm makes it easy to install `charts` (a application) on kubernetes clusters. Just like `npm` or `apt` make it easy to install NodeJS modules and Debian packages, `helm` makes it easy to deploy a a full-fledged application with all of its dependencies on kubernetes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
an application
content/tools/helm.md
Outdated
--- | ||
|
||
{{< img src="/assets/helm-d7685fec.png" title="Helm Logo" class="logo" >}} | ||
|
||
Helm makes it easy to install `charts` (a application) on kubernetes clusters. Just like `npm` or `apt` make it easy to install NodeJS modules and Debian packages, `helm` makes it easy to deploy a a full-fledged application with all of its dependencies on kubernetes. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
deploy a full-fledged application
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nicely written, just a few comments
what
why